From acc77c4757775bb7689ba769465951a65523db75 Mon Sep 17 00:00:00 2001 
From: Dave Olson
Date: Thu, 12 Apr 2018 23:57:55 -0700
Subject: Add a new package radius-shell with a setcap radius_shell front end

Ticket: CM-19457
Reviewed By: nobody
Testing Done: multiple logins, separately and simultaneously

Because we can't determine privilege level separately and up front with the RADIUS protocol, unlike TACACS+, we wind up with all logins as the same unprivileged radius uid. But we can set the auid (accounting or auditing uid) correctly, and a separate setcap radius_shell can be set as the login shell, and can fixup the uid before running /bin/bash.

To set the auid correctly, we need to know the privileged radius user account. Added mapped_priv_user to the configuration file to handle that. mapped_priv_user has to match the account used by libnss-mapuser. That's a bit ugly, but a common config file would be uglier.

The radius shell is in a new package, since it has binaries. The new package is radius-shell. In its post actions, it changes the radius users' shell to radius_shell if they are present, and back to /bin/bash on package removal. It uses capabilities, tries to be very restrictive in what it changes, and depends on being installed setcap cap_setuid.

Make the existing libpam-radius-auth package depend on radius-shell, so it will pull in the new package on upgrades.

Also fixed another issue with reparsing changed config file, have to handle case where there were servers defined, but aren't any longer.
---
 debian/control               | 13 +++++++++++--
 debian/radius-shell.install  |  1 +
 debian/radius-shell.manpages |  1 +
 debian/radius-shell.postinst | 29 +++++++++++++++++++++++++++++
 debian/radius-shell.postrm   | 23 +++++++++++++++++++++++
 debian/rules                 |  4 +++-
 6 files changed, 68 insertions(+), 3 deletions(-)
 create mode 100644 debian/radius-shell.install
 create mode 100644 debian/radius-shell.manpages
 create mode 100644 debian/radius-shell.postinst
 create mode 100644 debian/radius-shell.postrm
(limited to 'debian')
diff --git a/debian/control b/debian/control index b70c948..b8022db 100644 --- a/debian/control +++ b/debian/control @@ -3,13 +3,22 @@ Maintainer: dev-support Section: libs Priority: extra Standards-Version: 3.9.6 -Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 9~), libaudit-dev +Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 9~), libaudit-dev, libcap-dev Package: libpam-radius-auth Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1 +Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1, radius-shell Description: PAM RADIUS client authentication module This is the PAM to RADIUS authentication module. It allows any PAM-capable machine to become a RADIUS client for authentication and accounting requests. You will, however, need to supply your own RADIUS server to perform the actual authentication + +Package: radius-shell +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, libaudit1, libcap2-bin, libcap2, libnss-mapuser +Description: Shell front-end used for radius users. + This provides a uid fixup program. Due to the limitations of the + RADIUS protocol, we can't tell whether a user is privileged until + after authentication. This packages provides a shell front-end that + sets the uid to the auid, if set and > 1000, and not already matching. diff --git a/debian/radius-shell.install b/debian/radius-shell.install new file mode 100644 index 0000000..7671d36 --- /dev/null +++ b/debian/radius-shell.install @@ -0,0 +1 @@ +radius_shell sbin diff --git a/debian/radius-shell.manpages b/debian/radius-shell.manpages new file mode 100644 index 0000000..bb1a970 --- /dev/null +++ b/debian/radius-shell.manpages @@ -0,0 +1 @@ +radius_shell.8 diff --git a/debian/radius-shell.postinst b/debian/radius-shell.postinst new file mode 100644 index 0000000..55ebd22 --- /dev/null +++ b/debian/radius-shell.postinst 
@@ -0,0 +1,29 @@ +#! /bin/sh + +set -e + +# we depend on libnss-mapuser, so that the radius group will have been +# created before this script runs. + +case "$1" in + configure) + radshell=/sbin/radius_shell + chmod 750 $radshell + chgrp radius_users $radshell + setcap cap_setuid+ep $radshell + # The users will have been created by the libnss-mapuser package + # and possibly by an older version, so change the shells here. + # This also prevents a loop in package install ordering dependencies + for usr in radius_user radius_priv_user; do + uent="$(getent -s compat passwd $usr 2>/dev/null)" || true + [ -z "$uent" ] && continue + case "$uent" in + *${radshell}*) ;; + *) chsh -s $radshell $usr ;; + esac + done + ;; +esac + +#DEBHELPER# + diff --git a/debian/radius-shell.postrm b/debian/radius-shell.postrm new file mode 100644 index 0000000..89ae97f --- /dev/null +++ b/debian/radius-shell.postrm @@ -0,0 +1,23 @@ +#! /bin/sh + +set -e + +# we depend on libnss-mapuser, so that the radius group will have been +# created before this script runs. + +case "$1" in + remove|purge) + # fixup the shell for the users we may have modified on installation, + # if still present, and using our shell + for usr in radius_user radius_priv_user; do + uent="$(getent -s compat passwd $usr 2>/dev/null)" || true + [ -z "$uent" ] && continue + case "$uent" in + *${radshell}*) chsh -s /bin/bash $usr ;; + esac + done + ;; +esac + +#DEBHELPER# + diff --git a/debian/rules b/debian/rules index 52172f8..3039568 100755 --- a/debian/rules +++ b/debian/rules 
@@ -21,8 +21,10 @@ export CFLAGS # all the installing is here, not in Makefile. # The configuration file with the share secrets needs to be 600 override_dh_install: - dh_install -v --sourcedir=. + dh_install -v --sourcedir=. --package=libpam-radius-auth + dh_install -v --sourcedir=. --package=radius-shell chmod 600 debian/*/${PAM_CONF_FILE} + chmod 750 debian/*/sbin/radius_shell override_dh_fixperms: dh_fixperms --exclude ${PAM_CONF_FILE} -- cgit v1.2.3
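Review bot: In the debian/control hunk, the long Description of the new radius-shell package has a typo, "This packages provides a shell front-end"; it should read "This package provides". Since the whole point of the package is that radius_shell runs with the cap_setuid file capability granted in postinst rather than as a setuid-root binary, the description would also be more useful to administrators if it said so in one sentence, because that is what they will want to know when they see a setcap binary under /sbin.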
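Review bot: In the debian/radius-shell.postinst hunk, the configure branch runs `chgrp radius_users $radshell` while the comment above it says only that "the radius group" will already exist; with `set -e` in effect a missing radius_users group aborts the whole configure step with an unhelpful error, so either name radius_users in the comment or guard it with a `getent group radius_users` check that fails with a clear message. The ordering of `chmod 750`, `chgrp`, then `setcap cap_setuid+ep` is right: the file is restricted to owner and the radius_users group before the capability is granted. It is worth a comment that file capabilities are not carried in the .deb, so this setcap call is the only thing that grants the capability, and it is re-run on upgrade because configure is invoked then as well.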
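Review bot: In the debian/radius-shell.postrm hunk, `$radshell` is never assigned; the `radshell=/sbin/radius_shell` line lives in postinst, which is a separate script. The pattern `*${radshell}*)` therefore expands to `**)` and matches every passwd entry, so the "if still present, and using our shell" condition in the comment is not enforced and `chsh -s /bin/bash` runs for any existing radius_user or radius_priv_user, including one an administrator deliberately pointed at another shell. Add `radshell=/sbin/radius_shell` before the loop (or above the `case`). With `set -e` but no `set -u`, the empty expansion is silent, which is why the multiple-login testing would not have shown it.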
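Review bot: In the debian/rules hunk, the new `chmod 750 debian/*/sbin/radius_shell` in override_dh_install is undone by the unchanged `override_dh_fixperms`, whose `dh_fixperms --exclude ${PAM_CONF_FILE}` resets executables to 0755. The installed file still ends up 750 because postinst applies the mode again at configure time, but the rules change is dead as written. Either extend the exclusion, e.g. `dh_fixperms --exclude ${PAM_CONF_FILE} --exclude radius_shell`, so the package itself ships the restricted mode, or drop the build-time chmod and leave postinst as the single place that sets mode, group and capability.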